Below is an overview of some of the data protection and environmental laws and regulations applicable to the UK with which our services can help you comply:
Recent UK Legislation Changes
Data Protection enforcement in the UK has never looked so intimidating! 2010 will see a much tougher regulatory environment than before.
The Information Commissioner's Office (ICO) is involved in two Government consultations which will introduce new penalties, unlike any seen before, for breaches of the Data Protection Act (DPA) 1998.
Penalties being finalised include:
- Fines of up to £500,000 for serious contraventions of the DPA
- Prison sentences for deliberate or negligent leaks of customer data by individuals within an organisation.
The ICO has recently acquired the statutory right to audit Government Departments.
Monetary Penalty Notices and the ICO's Draft Code
The power to serve Monetary Penalty Notices (MPNs) is expected to come into force in April 2010. The legislation (section 55A, DPA) states that the ICO may serve a data controller with an MPN if satisfied that:
- there has been a serious contravention of the DPA, and the contravention was of a kind likely to cause substantial damage or substantial distress; and
- the contravention was either committed deliberately; or
- the data controller knew, or ought to have known, that there was a risk that the contravention would occur and that it would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent it.
Data Protection Act 1998
This places direct PERSONAL responsibility on many company directors and managers to ensure the proper destruction of data.
The Information Commissioner's Office advises that as a Data Controller, "You...must comply with the Act from the moment you obtain the data until the time when the data has been returned, deleted or destroyed. Your duties extend to the way you dispose of personal data when you no longer need to keep it – you must dispose of the data securely and in a way which does not prejudice the interests of the individuals concerned."
"Changes in an organisation’s circumstances do not reduce an individual’s rights under the Act. Even if an organisation goes out of business, individuals are still entitled to expect that their personal data will be processed in accordance with the data protection principles."
Under the Act, a Data Controller is defined as any person "who decides how and why personal data is processed".
The Data Processor is defined as the person who uses the data in the manner determined by the Data Controller; in other words, the Data Processor works on behalf of the Data Controller. It is the Data Controller who carries the responsibility under the Act.
Below are some examples of situations which clarify how data destruction responsibilities might fall.
DPA Example 1:
Organisation A engages Company B, which provides business services, to administer Organisation A's employee payroll function. Organisation A also engages a marketing services firm, Partnership C, to carry out a satisfaction survey of its existing customers. Company B will need information about Organisation A's employees, and Partnership C will need information about its customers. Both B and C will be processing the information on behalf of Organisation A, and so they are both Data Processors. Organisation A will be the Data Controller in this case.
However, if Company B also provides staff recruitment services to Organisation A, it will be the Data Controller with regard to the information about employment candidates that it collects and stores. Likewise, if Partnership C provides outsourced telemarketing services to A, and buys in mailing lists as part of the service, then it will be the Data Controller for those lists.
Finally, B and C will, as a matter of course, also be processing personal data about their own employees and, in respect of that personal data, they will be Data Controllers.
DPA Example 2:
A travel agency is run as a partnership by Mr A and Mr B. As a consequence of a downturn in business, the travel agency ceases trading abruptly. Its premises are locked up and its computers and hard disks (which contain customer information) lie idle. Mr A and Mr B remain responsible for ensuring that their customers’ personal data remains secure and that whatever happens to it complies with the Data Protection Act. This duty will continue even if the partnership is dissolved.
Financial Services Authority
Principle 3 of the FSA's Principles for Businesses states that "a firm or organisation must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems". This applies equally to an organisation's data protection obligations.
Between 2004 and 2008, the FSA levied fines of approximately £1.8 million in relation to lapses in data security. In 2009 alone, fines rose to £3 million.
Sarbanes-Oxley Act
Many UK companies that operate in the United States fall under the Sarbanes-Oxley Act and should take steps to ensure compliance. The Act makes corporate executives explicitly responsible for establishing, evaluating and monitoring the effectiveness of internal controls over financial reporting. This inevitably involves the IT department in auditing systems and data lifecycle management, of which data destruction is a part: data should be securely destroyed and records of the destruction kept.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI Security Standards Council obliges organisations which process credit card or electronic payment information to comply with the following security requirements:
Once computer media is no longer required to be kept for commercial or legal reasons, it must be destroyed in one of the following ways:
- Shredding, incineration or, in the case of paper, pulping, so that cardholder data cannot be reconstructed
- Physical destruction of hard copy material should be confirmed to ensure it cannot be reconstituted
- Secure data wiping, degaussing or hard disc shredding should be used, and then verified, to ensure that cardholder data stored on electronic media has been rendered unrecoverable
- Storage containers holding material awaiting destruction should be secured with a lock.
The Environment Act
This places a duty of care on your organisation to ensure that your redundant IT equipment is collected by a Licensed Waste Carrier, who will take it to a licensed site for disposal, recycling or refurbishment.
Waste Electrical and Electronic Equipment (WEEE) Directive
All IT equipment and other electrical items must be recycled in line with the standards specified in the WEEE Directive. You may be prosecuted if you fail to comply with the regulations.
The export of redundant computer equipment which may be hazardous to countries outside the OECD is forbidden. There is a significant black market in 'dumping' used IT equipment in places such as East Africa.
Data Eliminate provides services which are compliant with: